Add to collection(s) Add to saved
  1. Business
  2. Management

to read the article

advertisement 
ANDERSON’S AUDIT EXPRESS
INTERNAL CONTROLS...
SO MUCH TIME FOR SO LITTLE BENEFIT
BY ALAN W. ANDERSON
W
hile I often wonder if an auditor understands what is required when s/he performs the internal control
procedures contained in audit programs, I am also confident that most auditors question the benefit of
completing the procedures. In spite of the fact that there is little perceived benefit, auditors continue to
complete all the steps on the “canned” audit programs because they don’t question the efficacy of the
forms as it relates to the client.
Auditing “military style”…..doing what you are told without question, may work in the military but not in the audit.
A fundamental component of the audit itself is to ask questions, something one of my mentors in my early years coached
everyone to do. Yes, his words to “just ask questions” will make you a better auditor.
Without asking questions to gain a better understanding and simply following the forms leads to the auditor’s
perception of “so much time for so little benefit.” Instead, by asking questions to gain a better understanding will help you
determine if there is a better and more efficient way. This article focuses on several important questions and offers ideas to
help auditors develop a better and more efficient way to understand the client’s internal control.
© Copyright 2012 Alan W. Anderson, used with permission.
WHY DOES THE AUDITOR NEED TO CONSIDER INTERNAL CONTROL AS A PART OF THE AUDIT?
All audit standards are designed to assist the auditor
in minimizing audit risk. Since audit risk (the risk of issuing
a clean opinion when the financial statements contain a material error) exists on every audit, the auditor is expected to
focus audit effort in the areas where they believe there could
be a risk of material misstatement (RMM).
When the Audit Standards Board (ASB) issued
the risk based standards in 2006, they eliminated the ability for the auditor to “opt out” of completing any internal
control procedures by assessing internal control risk at the
maximum. The ASB believed that when an account carried
potential for the risk of material misstatement, the auditor
should make a determination if internal control over that
account had the ability to mitigate that risk. As such, the
standards require the auditor to determine if the design of
controls at the client has the ability to prevent or detect a
material misstatement. If the design is deemed to be sufficient, the auditor is then required to determine if the design
has been implemented by performing a walkthrough.
DO I NEED TO DETERMINE THE DESIGN OF INTERNAL
CONTROL FOR ALL ACCOUNTS OR CLASSES OF
TRANSACTIONS?
est risk. Gaining an understanding of a key control helps the
auditor determine the audit plan. Identifying all controls,
on the other hand, in an unnecessary use of time and doesn’t
add any additional value to the audit process.
IF I DON’T HAVE TO LOOK AT ALL ACCOUNTS OR ALL
CONTROLS, WHY DO THE “CANNED” AUDIT PROGRAMS
HAVE EVERY ACCOUNT AND ALL CONTROLS FOR THE
AUDITOR TO CONSIDER?
The “canned” programs that many firms use generally will cover all areas and all controls. The developers of
these programs attempt to provide the auditor with virtually
every potential scenario so nothing is missed. The developers cannot prepare a generic set of forms and procedures that
assumes a low level of client complexity or make assumptions about RMM. As such, these packages assume a high
level of audit complexity and that all accounts or classes of
transactions contain RMM. It is the expectation that the
auditor will focus and refine their level of effort based upon
the nature of their client. This is something only the auditor,
who, by asking questions, can answer.
THOSE “CANNED” FORMS SEEM SO COMPLEX. HOW
WOULD I GO ABOUT MODIFYING THEM TO MATCH THE
COMPLEXITY OF MY CLIENT SITUATION?
No. This is one area where the auditor spends unnecessary time. Many auditors dive into completing all
the internal control forms without first determining which
accounts or classes of transactions contain the potential of
RMM. The auditor is required to understand the design of
internal control for only the RMM accounts or classes of
transactions. If you currently document the design of internal control on non RMM accounts, make a note for next
year to have the audit team focus only on the RMM accounts.
The forms are in the audit package are merely tools
and not requirements. The method of documentation the
auditor chooses is always a matter of professional judgment.
The methods of documentation include flowcharts, narratives, questionnaires and client-prepared manuals. In many
situations, it may be far more efficient to develop your own
streamlined documentation methodology based in the client
and/or the client’s industry. Creating your own streamlined
approach allows you to focus on only the RMM accounts
and key control(s) rather than all accounts and all controls.
DO I NEED TO DETERMINE EVERY CONTROL THAT EXISTS
HOW CAN I BEST DETERMINE A KEY CONTROL OR KEY
FOR THE ACCOUNT OR CLASS OF TRANSACTIONS?
No. The standards ask the auditor to determine the
key control or controls that would have the ability to prevent or detect a material misstatement. The standards do not
ask the auditor to determine all controls.
Many auditors spend a significant amount of time
determining all of the controls rather than determining a
key control or controls. It is important to remember that
these requirements are all about helping the auditor design
better the substantive audit procedures in areas of the great-
CONTROLS?
The auditor needs to first understand the two types
of internal controls that can be in place in an organization;
namely preventive and detective. A preventive control is a
control that is designed to prevent a material misstatement
from ever being recorded in the records of the client. An
example of a preventive control is the advance approval of a
purchase order. Generally, preventive controls are placed at
the transaction level and occur every time a transaction takes
place.
© Copyright 2012 Alan W. Anderson, used with permission.
Detective controls are controls that are designed
to identify a misstatement after it has been recorded in the
books and records of the client. A typical detective control
is the preparation of account reconciliation. Detective controls generally occur at month end as the books and records
are being closed for the month.
I generally recommend that the auditor look first
for detective controls related to a RMM account or class of
transactions. They are easier to identify and since they are
mainly month-end controls they occur only twelve times a
year and many are looked at as a part of your year-end audit
procedures.
Most internal control documentation packages,
however, typically identify preventive controls first and then
move to detective controls. This happens because the forms
follow the typical approach to process flow in an organization. They start with initiation of a transaction, move to the
processing of the transaction which then leads to the recording of the transaction in the general ledger which ultimately
ends up being reported in the financial statements of the
client.
In summary, the key process flow terms are:
• Initiation
• Processing
• Recording
• Reporting
Documenting internal control following the above
process flow generally results in excess documentation and
the identification of most if not all controls. Both types of
controls work to manage the risk of material misstatement,
and it is the auditor’s challenge to determine which control
or controls can be considered a key control.
I recommend reversing the order when looking for
a key control or controls in an RMM account or class of
transactions. Start by looking for a detective control first at
the reporting level, then move to recording if you cannot
determine a key control at the financial reporting level. In
most companies, you will be able to identify sufficient detective controls in place within those two levels to satisfy
your audit needs.
WHAT AM I EXPECTED TO DO WHEN MY CLIENT
DOESN’T HAVE DECENT INTERNAL CONTROLS?
In many smaller organizations, it is very possible
that there may not be any internal controls in place to prevent or detect a material misstatement. Again, the purpose
of the audit standard is to identify a key control or controls
that could potentially mitigate the risk of material misstate-
© Copyright 2012 Alan W. Anderson, used with permission.
ment. If no controls exist, you can only conclude that there
are no controls in place to mitigate the risk of material misstatement and adjust the audit procedures accordingly.
In situations such as this, document your conclusion that controls are not in place for the RMM account
or class of transactions, adjust substantive audit procedures
and consider the SAS 155 implications to communicate this
material weakness to your client.
IN SUMMARY
Performing internal control procedures should not
be as time consuming as they tend to be. The auditor can be
far more efficient if s/he considers the following key points:
1) Identify the RMM accounts and classes of transactions
2) Identify a key control or controls not all controls
3) Focus on detective controls rather than preventive
controls
4) Find the key control or controls by considering
reporting and recording steps first
5) When no controls exist, document your conclusion and move to SAS 115 communication
A word on walkthroughs – When the above
suggestions are considered, the time that is takes to complete
a walkthrough is reduced as well. The auditor will only need
to walkthrough one or a few controls rather that all controls.
In addition, when the focus is on detective controls, which
tend to be month-end controls, you are likely looking at
many of those controls during your normal audit procedures
and will not need to make the walkthrough a separate step.
It can be included at a part of your normal audit process.
© Copyright 2012 Alan W. Anderson, used with permission.
CLICK HERE TO REGISTER
FOR THIS SELF-STUDY SESSION
ANDERSON’S AUDIT EXPRESS
SELF-STUDY 9
“INTERNAL CONTROLS:
SO MUCH TIME FOR SO LITTLE BENEFIT”
DESCRIPTION: Through the eyes of the client, internal control may be just another time-consuming exercise the auditor performs
as part of the audit process. In reality, internal control may be one of the most beneficial aspects of the audit. Internal control
is management’s responsibilities, yet the audit process can bring to the forefront areas of weakness that can help the client more
than imagined.
COURSE TYPE: Self-study
CPE HOURS: 2
DESIGNED FOR: Audit partners, managers and staff who want to provide high quality client service while streamlining and making their audit process more cost effective.
OBJECTIVE: This session will help you and your audit team, design, build, inspect and deliver an efficient audit that has more
meaning for your client.
PREREQUISITES: Experience as a member of an audit team.
ADVANCED PREP: None.
© Copyright 2012 Alan W. Anderson, used with permission.
Related documents
Case
Case
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Accounting 241 Outline
Accounting 241 Outline
Green Impact Auditor
Green Impact Auditor
analisa pengaruh struktur kepemilikan dan dewan
analisa pengaruh struktur kepemilikan dan dewan
Auditor Reporting ppt
Auditor Reporting ppt
Big Data As Complementary Audit Evidence
Big Data As Complementary Audit Evidence
Download
advertisement